InfoSec Handlers Diary Blog

Our DShield data shows that password guessing attacks against SSH keep going strong. As if this alone were not indication enough that somebody somewhere is collecting bots and making money, we also keep receiving reports and logs from ISC readers who got hit and missed, or even hit and sunk.

While I'm aware that ISC readers probably don't have to be told, let's nevertheless try again to get the word out: If you are running any SSH server open to the Internet, and your usernames and passwords aren't at least 8 characters or so, your box is either owned by now, or about to be. It doesn't matter one bit what sort of device it is - those who run these scans have proven to be equally adept at taking over a Cisco router as they are at subverting an iMac.

Countermeasures shown to help include:

- Filter (by IP) who can get to your SSH. Firewalls rule! Whoever can't reach your SSH can't brute-force it.
- Reconfigure your SSH to only use password-protected SSH keys and not permit plain passwords anymore
- Use hard to guess usernames. Yes, usernames.
- Move your SSH off port 22 to some obscure corner of the port space
- Scan your own network to find out where you have SSH running before others do. You might be surprised ...
- Use "fail2ban", though this doesn't help a lot anymore against the distributed scans we see lately
- Educate your users to use good passwords. Yes, even those users who have proven to be immune to enlightenment.
- Watch your logs. It's a great way to learn. And knowing what the "daily noise" looks like is imperative to spot "oddities"
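The "watch your logs" and fail2ban points above, as an added example that is not part of the original diary: a small Python script that parses constructed OpenSSH auth.log lines (RFC 5737 documentation addresses, made-up usernames and host) and shows three things side by side: what a per-source threshold of the kind fail2ban applies catches, what a distributed scan (one guess each from many addresses) looks like to that threshold, and the single line that matters most, a password login accepted from an address that was guessing a minute earlier.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed sample in OpenSSH auth.log syntax. Addresses come from the
# RFC 5737 documentation ranges; usernames, host and PIDs are made up.
SAMPLE_LOG = """\
Mar 12 03:14:07 host sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 03:14:09 host sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 03:14:11 host sshd[2220]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar 12 03:14:13 host sshd[2220]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
Mar 12 03:15:02 host sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Mar 12 03:16:00 host sshd[2333]: Accepted password for bob from 203.0.113.5 port 51300 ssh2
Mar 12 03:20:41 host sshd[2400]: Failed password for invalid user pi from 198.51.100.20 port 33001 ssh2
Mar 12 03:21:05 host sshd[2402]: Failed password for invalid user pi from 198.51.100.21 port 33002 ssh2
Mar 12 03:21:37 host sshd[2405]: Failed password for invalid user pi from 198.51.100.22 port 33003 ssh2
"""


class Event(NamedTuple):
    kind: str    # "failed" or "accepted"
    user: str
    src: str
    method: str  # "password" or "publickey"


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port \d+")


def parse_auth_log(text):
    """Turn sshd log lines into Event records; unrelated lines are skipped.
    Only 'Failed password' lines count as failures: the separate 'Invalid
    user' line sshd writes for unknown accounts would otherwise double-count."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(Event("failed", m.group(1), m.group(2), "password"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(Event("accepted", m.group(2), m.group(3), m.group(1)))
    return events


def failures_by_source(events):
    """How many failed password attempts each address produced."""
    return Counter(e.src for e in events if e.kind == "failed")


def noisy_sources(events, threshold=3):
    """Per-address counting: the same idea fail2ban applies before it bans."""
    return {src for src, n in failures_by_source(events).items() if n >= threshold}


def distributed_usernames(events, min_sources=3):
    """Usernames tried from many distinct addresses, each perhaps only once.
    Per-address thresholds never fire on this pattern, which is why the diary
    notes that fail2ban helps less against distributed scans."""
    sources = defaultdict(set)
    for e in events:
        if e.kind == "failed":
            sources[e.user].add(e.src)
    return {user for user, srcs in sources.items() if len(srcs) >= min_sources}


def suspicious_logins(events):
    """Password logins accepted from an address that failed earlier in the
    same log: the 'hit and sunk' case, and the first thing to check."""
    failed_sources = set()
    hits = []
    for e in events:
        if e.kind == "failed":
            failed_sources.add(e.src)
        elif e.method == "password" and e.src in failed_sources:
            hits.append((e.user, e.src))
    return hits


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    print("failures per source:", dict(failures_by_source(ev)))
    print("sources over threshold:", noisy_sources(ev))
    print("usernames sprayed across sources:", distributed_usernames(ev))
    print("password logins after failures:", suspicious_logins(ev))
```

Run against a real auth.log, the per-source counts are the "daily noise" the diary mentions; the last two functions are where the oddities show up. Key-based logins from known addresses (alice above) never appear in either list, which is the point of moving to keys.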

Best is a combination of several of the above. One university I know allows password-based SSH from a couple of known networks only, and insists on certificate-based SSH from all others. A reader, whose systems at a community college had kept getting hammered, had the following anecdote to share: "No matter how hard we try, users keep picking bad passwords. So we decided to give them difficult to guess usernames. If a user's ID is @455%userid, it doesn't matter much anymore how dumb his password is!"
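The "passwords only from a couple of known networks, keys from everywhere else" arrangement above, as an added example that is neither the university's configuration nor any file from the diary: a constructed permissive sshd_config beside a hardened one that uses a Match Address block, and a small Python checker that parses either and lists the settings the countermeasures argue against. The networks, port, usernames and the finding texts are placeholders chosen for this example.

```python
import re

# Constructed permissive sshd_config (placeholder values, not from the page).
WEAK_CONFIG = """\
# passwords from anywhere, root allowed, default port, every account a target
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed hardened sshd_config: keys everywhere, passwords only from two
# placeholder "known" networks, root and unknown accounts locked out.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice bob
Match Address 192.0.2.0/24,198.51.100.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    Keywords are lower-cased because sshd treats them case-insensitively, and
    for a repeated keyword sshd keeps the first value it sees, so setdefault()
    mirrors that. Directives after a 'Match' line belong to that block until
    the next 'Match' or end of file, so only what precedes the first Match is
    global."""
    global_d = {}
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "directives": {}}
            blocks.append(current)
        elif current is None:
            global_d.setdefault(key, value)
        else:
            current["directives"].setdefault(key, value)
    return global_d, blocks


def audit_sshd_config(text):
    """List the settings a reviewer would flag against the diary's advice.
    Unset keywords are treated as their permissive values ('yes', port 22);
    PermitRootLogin's real default has varied between OpenSSH versions."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if g.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("passwords accepted from everywhere; prefer keys and "
                        "confine passwords to known networks with Match Address")
    if g.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("root may log in directly; root is the first username every scanner tries")
    if g.get("port", "22") == "22":
        findings.append("sshd listens on 22; moving it is camouflage, not security, but it cuts the noise")
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups: every local account is a valid login target")
    for b in blocks:
        re_enables = b["directives"].get("passwordauthentication", "").lower() == "yes"
        if re_enables and not b["criteria"].lower().startswith("address"):
            findings.append(f"Match '{b['criteria']}' re-enables passwords without an Address restriction")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

The checker reads the file text only; it does not replace `sshd -t` for syntax, and the Match block's password exception should be paired with the IP filtering from the list above so that the "known networks" are also the only ones that can reach the port at all.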

Before you purists now rush to the contact button at the top of our page -- yes, we know that picking complicated usernames and moving SSH off port 22 are "security by obscurity" and not real security. But the fact is that they both help to thwart the rampant brute force attacks. Bulletproof is nice, but if it can't be had, good camouflage sure beats being a plum target!

Let us repeat: SSH password guessing break-ins happen daily. If you haven't taken this seriously so far, DO SO NOW.

Update: http://wiki.centos.org/HowTos/Network/SecuringSSH contains a decent list of tips on how to secure sshd.